Security Vulnerability Disclosure Policy

We take security seriously and value the contributions of researchers who act in good faith to help protect our users. If you believe you have found a vulnerability in our services or software, we encourage you to report it responsibly so we can address it promptly.

Reporting a Vulnerability

Please email your findings to our security contacts. To ensure confidentiality, we recommend encrypting your report using our PGP key.

Your report should include:

  • A clear description of the vulnerability.
  • A working proof of concept or detailed steps to reproduce the issue.
  • Relevant logs, screenshots, or code snippets.

We will acknowledge receipt of your report within 5 business days and keep you informed about our investigation.

In-Scope

We prioritize reports that demonstrate a real, actionable security risk to our software, services, or infrastructure, such as:

  • Remote code execution (RCE)
  • Authentication bypass or privilege escalation
  • Server-side request forgery (SSRF)
  • Cross-site scripting (XSS) or CSRF with significant impact

Out-of-Scope

To minimize automated noise, the following are generally excluded from our review process:

  • Automated results: Reports generated by scanners that lack a manual, actionable proof of exploitability.
  • Configuration & Hygiene: Missing HTTP headers, TLS/SSL configurations, DNS records, or server banners.
  • Volume-based attacks: Denial of Service (DoS/DDoS) or rate-limiting issues.
  • Low-impact: Clickjacking on non-sensitive pages, or bugs requiring jailbroken devices/unsupported browsers.
  • Third-party: Issues in libraries or services not directly managed by us.

Responsible Disclosure Guidelines

To remain in good standing with our team, we ask that you:

  • Do not publicly disclose vulnerabilities before we have confirmed a fix.
  • Do not access, modify, or delete data that does not belong to you.
  • Avoid any actions that could degrade or disrupt our services.

We appreciate the efforts of the security community in helping us maintain a safe environment.

Disclaimer

This is a voluntary disclosure program rooted in the spirit of open-source collaboration. We operate this program to benefit the broader community and ensure the collective safety of our users. We do not offer any form of compensation for submitted reports. By submitting a report, you acknowledge that you are doing so without expectation of payment and waive any future claims for compensation.


Updated: Feb 4, 2026